Application Layer Defense (BP1, BP2) - AWS Best Practices for DDoS Resiliency

Application Layer Defense (BP1, BP2)

Many of the techniques discussed in this paper are effective at mitigating the impact that infrastructure layer DDoS attacks have on your application’s availability. Defending against application layer attacks also requires an architecture that lets you specifically detect, scale to absorb, and block malicious requests. This is an important consideration because network-based DDoS mitigation systems, which act on packet and flow characteristics rather than on request content, are generally ineffective at mitigating complex application layer attacks whose individual requests look like legitimate traffic.

Detect and Filter Malicious Web Requests (BP1, BP2)

When your application runs on AWS, you can leverage both Amazon CloudFront and AWS WAF to help defend against application layer DDoS attacks.

Amazon CloudFront allows you to cache static content and serve it from AWS edge locations, which can help reduce the load on your origin. It can also help reduce server load by preventing non-web traffic from reaching your origin. Additionally, CloudFront can automatically close connections from slow reading or slow writing attackers (for example, Slowloris).

By using AWS WAF, you can configure web access control lists (Web ACLs) on your CloudFront distributions or Application Load Balancers to filter and block requests based on request signatures. Each Web ACL consists of rules that you can configure to string match or regex match one or more request attributes, such as the URI, query string, HTTP method, or header key. In addition, by using AWS WAF's rate-based rules, you can automatically block the IP addresses of bad actors when the number of requests matching a rule from a single IP address exceeds a threshold that you define, evaluated over a five-minute period. Requests from offending client IP addresses receive 403 Forbidden responses and remain blocked until their request rate drops below the threshold. This is useful for mitigating HTTP flood attacks that are disguised as regular web traffic.

To block attacks from known malicious IP addresses, you can create rules using IP match conditions, or use Managed Rules for AWS WAF offered by sellers in the AWS Marketplace that block IP addresses included in IP reputation lists. Both AWS WAF and Amazon CloudFront also allow you to set geo-restrictions to block or allow (whitelist) requests from selected countries. This can help block attacks originating from geographic locations where you do not expect to serve users.

To help identify malicious requests, review your web server logs or use AWS WAF’s logging and Sampled Requests features. AWS WAF logging gives you detailed information about the traffic analyzed by your Web ACL. The information contained in the logs includes the time that AWS WAF received the request from your AWS resource, detailed information about the request itself, and the action for the rule that each request matched. Sampled Requests provides details about requests that matched one of your AWS WAF rules during a period of time within the past 3 hours. You can use this information to identify potentially malicious traffic signatures and create a new rule to deny those requests. If you see a number of requests for the same path with a random query string, make sure to whitelist only the query string parameters that are relevant for caching in your application (using ‘Query String Whitelist’ in CloudFront), so that requests differing only in irrelevant parameters are served from cache instead of forwarded to your origin. This technique is helpful in mitigating a cache busting attack against your origin.
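The following is an added example, not code from this whitepaper or from AWS, showing how the rate-based rule and the log-review steps described above fit together in practice. It parses constructed AWS WAF log lines (written in the AWS WAF log schema, with an epoch-millisecond timestamp and an httpRequest object carrying clientIp, uri and args), finds client IPs whose request count in any five-minute window exceeds a threshold, flags (client, path) pairs where nearly every request carries a distinct query string as the cache-busting signature, and then builds the WAFv2 rule JSON (a rate-based statement with a URI scope-down) and the IPSet addresses that would block what was found. The IP addresses (RFC 5737 documentation ranges), URIs, request counts and thresholds are all assumptions chosen for the sample data.

```python
"""Triage AWS WAF logs for an HTTP flood and cache busting, then build the
WAFv2 rule JSON that would block the signature.

Added example; not from the AWS whitepaper. Log lines are constructed to
follow the AWS WAF log schema; IPs, URIs and thresholds are assumptions.
"""
import ipaddress
import json
from collections import defaultdict

WINDOW_MS = 5 * 60 * 1000  # rate-based rules count requests per 5-minute period


def _record(ts_ms, client_ip, uri, args, action="ALLOW"):
    """Build one constructed log line in the shape AWS WAF writes."""
    return json.dumps({
        "timestamp": ts_ms, "formatVersion": 1, "webaclId": "EXAMPLE-WEBACL",
        "terminatingRuleId": "Default_Action", "action": action,
        "httpRequest": {"clientIp": client_ip, "country": "US", "uri": uri,
                        "args": args, "httpMethod": "GET", "httpVersion": "HTTP/1.1",
                        "headers": [{"name": "User-Agent", "value": "Mozilla/5.0"}]},
    })


_T0 = 1_700_000_000_000
# Constructed dataset: a few legitimate requests, plus one client hammering a
# cacheable page with a unique query string per request (cache busting).
SAMPLE_LOG_LINES = (
    [_record(_T0 + i * 30_000, "198.51.100.7", "/index.html", "") for i in range(5)]
    + [_record(_T0 + i * 50, "203.0.113.25", "/index.html", f"cb={i:06x}") for i in range(150)]
    + ["this line is not JSON"]  # malformed line the parser must skip
)


def parse_waf_log(lines):
    """Parse newline-delimited AWS WAF log records, dropping malformed lines."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "httpRequest" in rec and "timestamp" in rec:
            records.append(rec)
    return records


def flood_sources(records, limit, window_ms=WINDOW_MS):
    """Return {clientIp: peak requests in any window} for IPs whose peak exceeds
    `limit`, mirroring how a rate-based rule with that Limit would trip."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["httpRequest"]["clientIp"]].append(rec["timestamp"])
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window_ms:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            offenders[ip] = peak
    return offenders


def cache_busting_uris(records, min_requests=50, unique_ratio=0.9):
    """Flag (clientIp, uri) pairs where nearly every request has a distinct
    query string: the signature of cache busting against a cached path."""
    args_seen = defaultdict(list)
    for rec in records:
        req = rec["httpRequest"]
        args_seen[(req["clientIp"], req["uri"])].append(req.get("args", ""))
    return {key: len(set(args)) for key, args in args_seen.items()
            if len(args) >= min_requests and len(set(args)) / len(args) >= unique_ratio}


def ip_set_addresses(ips):
    """Format addresses for an AWS WAF IPSet, which requires CIDR notation."""
    return sorted(str(ipaddress.ip_network(ip)) for ip in ips)


def rate_based_rule(name, limit, uri_path=None, priority=0):
    """Build a WAFv2 Rule (the shape CreateWebACL/UpdateWebACL take) blocking any
    IP over `limit` requests per 5 minutes, optionally scoped to one URI path."""
    statement = {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}
    if uri_path is not None:
        # SearchString is a blob in the API: bytes for boto3, plain string for CLI/CloudFormation.
        statement["RateBasedStatement"]["ScopeDownStatement"] = {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "EXACTLY",
            "SearchString": uri_path, "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}
    return {"Name": name, "Priority": priority, "Statement": statement,
            "Action": {"Block": {}},  # blocked clients get WAF's default 403 response
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}


def triage(lines, limit=100):
    """Run the whole pipeline on raw log lines and return the findings plus rule JSON."""
    records = parse_waf_log(lines)
    floods = flood_sources(records, limit)
    busting = cache_busting_uris(records)
    hot_paths = sorted({uri for (_, uri) in busting})
    return {"records_parsed": len(records), "flood_sources": floods,
            "cache_busting": {f"{ip} {uri}": n for (ip, uri), n in busting.items()},
            "ip_set": ip_set_addresses(floods),
            "rule": rate_based_rule("HttpFloodBlock", limit, hot_paths[0] if hot_paths else None)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG_LINES), indent=2))
```

The sliding window in flood_sources deliberately reproduces the rate-based rule's semantics (count per source IP over a five-minute period) so that the threshold you test against the logs is the same Limit you will put in the rule; the scope-down statement keeps the rule from affecting clients that use other paths at high but legitimate rates, and the cache-busting check tells you which path to protect with a CloudFront query string whitelist.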

If you are subscribed to AWS Shield Advanced, you can engage the AWS DDoS Response Team (DRT) to help you create rules to mitigate an attack that is hurting your application’s availability. DRT can only gain limited access to your account, and only with your explicit authorization. For more information, see the Support section in this document.

You can use AWS Firewall Manager to centrally configure and manage AWS WAF rules across your organization. Your AWS Organizations master account can designate an administrator account, which is authorized to create Firewall Manager policies. These policies allow you to define criteria, like resource type and tags, which determine where rules are applied. This is useful in case you have many accounts and want to standardize your protection. Firewall Manager also allows you to create policies that manage AWS Shield protected resources and VPC security groups.

To learn more about using geo restriction to limit access to your Amazon CloudFront distribution, see Restricting the Geographic Distribution of Your Content.

To learn more about using AWS WAF, see Getting Started with AWS WAF, Logging Web ACL Traffic Information, and Viewing a Sample of Web Requests.

To learn more about configuring rate-based rules, see Protect Web Sites & Services Using Rate-Based Rules for AWS WAF.

To learn how to manage the deployment of AWS WAF rules across your AWS resources with AWS Firewall Manager, see Getting Started with AWS Firewall Manager to Enable AWS WAF Classic Rules.